Abstract. This article formalizes an abstraction of input/output relations, based on parameterized zonotopes, which we call affine sets. We describe the abstract transfer functions and prove their correctness, which allows the generation of accurate numerical invariants. Other applications range from compositional reasoning to proofs of user-defined complex invariants and test case generation.

1 Introduction 

We present in this paper an abstract domain based on affine arithmetic [3] to bound the values of variables in numerical programs, with a real number semantics. Affine arithmetic can be conceived as describing particular polytopes, called zonotopes [19], which are bounded and center-symmetric. But it does so by explicitly parametrizing the points, as affine combinations of symbolic variables, called noise symbols. This parametrization keeps, in an implicit manner, the affine correlations between values of program variables, by sharing some of these noise symbols. It is tempting then to attribute a meaning to these noise symbols, so that the abstract elements we are considering are no longer merely polytopes, but have a functional interpretation, due to their particular parametrization: we define abstract elements as tuples of affine forms, which we call affine sets. They define a sound abstraction of relations that hold between the current values of the variables, for each control point, and the inputs of a program. The interests of abstracting input/output relations are well-known [5]; we mention but a few: more precise and scalable interprocedural abstractions, proofs of complex invariants (involving relations between inputs and outputs), sensitivity analysis and test case generation as exemplified in [7].

An abstract domain relying on such affine forms has been described in [8,11,13], but these descriptions miss complete formalization, and over-approximate the input/output relations more than necessary. In this paper, we extend this preliminary work by presenting a natural framework for this domain, with a partial order relation that allows Kleene-like iteration for accurately solving fixed point equations. In particular, a partial order that is now global to the abstract state, and no longer defined independently on each variable, allows us to use relations also between the special noise symbols created by taking an upper bound of two affine forms. Our results are illustrated with sample computations and geometric interpretations.
A preliminary version of this abstract domain, extended to analyse the uncertainty due to floating-point computations, is used in practice in a real industrial-size static analyser, FLUCTUAT, whose applications have been described in [7,14]. A preliminary version of this domain, dedicated to the analysis of computations in real numbers, is also implemented as an abstract domain, Taylor1+ [8], of the open-source library APRON [17].

Related work Apart from the work of the authors already mentioned, that uses zonotopes in static analysis, a large amount of work has been carried out mostly for reachability analysis in hybrid systems using zonotopes, see for instance [9]. One common feature with our work is the fact that zonotopic methods prove to be precise and fast. But in general, in hybrid systems analysis, no union operator is defined, whereas it is an essential feature of our work. Also, the methods used are purely geometrical: no information is kept concerning input/output relationships, e.g. as witnessed by the methods used for computing intersections [10]. Zonotopes have also been used in imaging, in collision detection for instance, see [16], where purely geometrical joins have been defined.

Recent work in static analysis by abstract interpretation for input/output relations abstraction and modular analyses can be found in [6], where an example is given in particular using polyhedra. In [5], it is shown that some classical analyses (e.g. Mycroft's strictness analysis) are input/output relational analyses (also called dependence-sensitive analyses). Applications of abstractions of input/output relations have been developed, in particular for points-to alias analysis, using summary functions, see for instance [5].

Contents In Section 2 we quickly introduce the principles of affine arithmetic, and show the interest of a domain with explicit parametrization of zonotopes, compared to its geometric counterpart, through simple examples. Then in Section 3 we state properties of affine sets. Introducing a matrix representation, we make the link between the affine sets and their zonotope concretisation. We then introduce perturbed affine sets, that will allow us to define a partially ordered structure. Starting with a thorough explanation of the intuition in Section 4.1, we then describe the partial order relation in Section 4.3, the monotonic abstract transfer functions in Section 4.4, and the join operator in Section 4.5. For intrinsic reasons, our abstract domain does not have least upper bounds, but minimal upper bounds. We show in Section 4.6 that a form of bounded-completeness holds that allows Kleene-like iteration for solving fixed point equations. For lack of space, we do not demonstrate here the behaviour of our abstract domain on fixed-point computations, but results on preliminary versions of our domain are described in [8,13].

2 Abstracting input/output relations with affine arithmetic

Affine arithmetic Affine arithmetic is an extension of interval arithmetic on affine forms, first introduced in [4], that takes into account affine correlations between variables. An affine form is a formal sum over a set of noise symbols

$$\hat{x} = \alpha^x_0 + \sum_{i=1}^{n} \alpha^x_i \varepsilon_i$$

with $\alpha^x_i \in \mathbb{R}$ for all $i$. Each noise symbol $\varepsilon_i$ stands for an independent component of the total uncertainty on the quantity $x$; its value is unknown but bounded in $[-1,1]$; the corresponding coefficient $\alpha^x_i$ is a known real value, which gives the magnitude of that component. The same noise symbol can be shared by several quantities, indicating correlations among them. These noise symbols can not only model uncertainty in data or parameters, but also uncertainty coming from computation.

The semantics of affine operations is straightforward; non-affine operations are linearized. We refer the reader to [11,13] for more details on the semantics for static analysis.

Introductory examples Consider the simple interprocedural program:

float main() {
  float x ∈ [-1,1];
  return f(x)-x;
}

float f(float x) {
  float y;
  if (x >= 0) y = x + 1;
  else y = x - 1;
  return y;
}

In order to analyse this program precisely, we need to infer the relation between the input and output of function f, since the main function subtracts the input of f from its output. We will show in Section 4.1 that our method gives an accurate representation of such input/output relations, at low cost, easily proving here that main returns a number between -1 and 1. We will also show that even tight geometric representations of the image of f on [a,b] may fail to prove this.

Another interest of our method is to allow compositional abstractions for interprocedural calls [6], making our domain very scalable. For instance, the abstract value for the output of f, as found in Section 4.1, represents the fact that its value is the value of the input plus an unknown value in [-1,1]. In fact a little more might be found out, which would lay the basis for efficient disjunctive analyses, where we would find that the output of f is its input plus an unknown value in {-1,1}. This is left for future work. This compact representation can be used as an abstract summary function (akin to the ones of [5] or of [5]) for f, which can then be reused without re-analysis for each call to f. The complete discussion of this aspect is nevertheless outside the scope of this paper.

Last but not least, input/output relations that are dealt with by our method allow proofs of complex invariants, and test case generation at low cost. Consider for instance the following program, where g computes an approximation of the square root of x using a Taylor expansion of degree 2, centered at point 1:

float main() {
  float x ∈ [1,2], z, t;
  z = g(x);
  t = z*z-x;
  return t;
}

float g(float x) {
  float y;
  y = 3/8.0+3/4.0*x-1/8.0*x*x;
  return y;
}

With our semantics, we will find the following abstract values for x, z and t:

$$x = \tfrac{3}{2} + \tfrac{1}{2}\varepsilon_1, \qquad z = \tfrac{19}{16} + \tfrac{3}{16}\varepsilon_1 - \tfrac{1}{64}\varepsilon_2 \qquad \text{and} \qquad t = -\tfrac{567}{8192} - \tfrac{7}{128}\varepsilon_1 - \tfrac{19}{512}\varepsilon_2 - \tfrac{169}{8192}\varepsilon_3.$$

This proves that z is within $[\tfrac{63}{64}, \tfrac{89}{64}] \approx [0.984, 1.391]$ (real result is [1,1.375]), and that t is within $\approx [-0.182, 0.078]$ (real result is [-0.066,0]). This means that we get a rather precise estimate of the quality of the algorithm that approximates the square root. Finally, examining the dependency of t on the noise symbol modelling the input, we see that $\varepsilon_1 = 1$, that is $x = 2$, is the most likely value for reaching the maximum of t, in absolute value. This input value is thus a good test case to maximize the algorithmic error between the approximation of square root and the real square root. Here it does indeed correspond to the worst case. These applications are detailed in [7], and stronger statements about test case generation can be found in [12], where a generalized form for abstract values is used for under-approximations.
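The second program above can be pushed through a small affine-arithmetic interpreter. The Python code below is an added example written for this page; it is not code from the paper, from FLUCTUAT or from Taylor1+. It implements affine forms with exact rational coefficients, the interval assignment of Definition 4, the affine operations of Definitions 5 and 6 and the simple multiplication rule of Definition 7 (one fresh noise symbol carrying $\sum_{r,l}|c_{r,i}\,c_{l,j}|$), analyses x ∈ [1,2], z = g(x), t = z*z − x, and then picks the input that maximizes |t| from the sign of t's coefficient on $\varepsilon_1$, which is the test-case idea of this section. Its constants need not match the figures quoted above exactly, since those come from the authors' analyser; the shape of the result is the same, with x = 2 as the worst case. The names `Affine`, `sqrt_approx`, `analyse`, `worst_case_input` and `concrete_t` are the example's own.

```python
from fractions import Fraction as F


class Affine:
    """Affine form  a_0 + sum_i a_i * eps_i  with every noise symbol eps_i in [-1, 1].

    Coefficients are exact rationals; noise symbols are integers handed out by a shared
    counter so that symbols created by different operations never collide.
    (Added example; the class and method names are this example's own.)
    """
    next_symbol = 0

    def __init__(self, centre, coeffs=None):
        self.centre = F(centre)
        self.coeffs = {i: F(v) for i, v in (coeffs or {}).items() if v != 0}

    @classmethod
    def fresh_symbol(cls):
        cls.next_symbol += 1
        return cls.next_symbol

    @classmethod
    def from_interval(cls, lo, hi):
        """x := [lo, hi] (Definition 4): centre (lo+hi)/2 plus a new symbol scaled by (hi-lo)/2."""
        return cls((F(lo) + F(hi)) / 2, {cls.fresh_symbol(): (F(hi) - F(lo)) / 2})

    def bounds(self):
        """Concretisation of the form: centre +/- the sum of |coefficients|."""
        radius = sum(abs(v) for v in self.coeffs.values())
        return self.centre - radius, self.centre + radius

    def evaluate(self, env):
        """Concrete value for a choice of eps values (the 'tAe reading of Section 3)."""
        return self.centre + sum(v * F(env.get(i, 0)) for i, v in self.coeffs.items())

    @staticmethod
    def _lift(other):
        return other if isinstance(other, Affine) else Affine(other)

    def __add__(self, other):               # Definition 5: coefficient-wise sum, no new symbol
        other = self._lift(other)
        keys = set(self.coeffs) | set(other.coeffs)
        return Affine(self.centre + other.centre,
                      {k: self.coeffs.get(k, 0) + other.coeffs.get(k, 0) for k in keys})

    __radd__ = __add__

    def __neg__(self):
        return Affine(-self.centre, {k: -v for k, v in self.coeffs.items()})

    def __sub__(self, other):
        return self + (-self._lift(other))

    def __rsub__(self, other):
        return self._lift(other) + (-self)

    def __mul__(self, other):
        other = self._lift(other)
        if not other.coeffs:                # Definition 6: scaling by a constant is exact
            return Affine(self.centre * other.centre,
                          {k: v * other.centre for k, v in self.coeffs.items()})
        if not self.coeffs:
            return other * self
        # Definition 7: product of centres, cross terms with the centres, and one fresh
        # symbol bounding the non-linear part by sum_{r,l} |a_r * b_l|.
        keys = set(self.coeffs) | set(other.coeffs)
        coeffs = {k: self.centre * other.coeffs.get(k, 0) + self.coeffs.get(k, 0) * other.centre
                  for k in keys}
        coeffs[Affine.fresh_symbol()] = sum(abs(a * b) for a in self.coeffs.values()
                                            for b in other.coeffs.values())
        return Affine(self.centre * other.centre, coeffs)

    __rmul__ = __mul__


def sqrt_approx(x):
    """g from the paper: the degree-2 Taylor expansion of sqrt at 1, in exact arithmetic."""
    return F(3, 8) + F(3, 4) * x - F(1, 8) * (x * x)


def analyse():
    """Abstract run of the second program: x in [1, 2], z = g(x), t = z*z - x."""
    Affine.next_symbol = 0
    x = Affine.from_interval(1, 2)          # x = 3/2 + 1/2 eps_1
    z = sqrt_approx(x)                      # introduces eps_2 for x*x
    t = z * z - x                           # introduces eps_3 for z*z
    return x, z, t


def worst_case_input(form, x, symbol):
    """Test-case generation as in Section 2: choose eps_symbol in {-1, 1} so that its
    contribution has the sign of the centre (maximising |form|), then map it back to x."""
    a = form.coeffs.get(symbol, F(0))
    eps = 1 if form.centre * a >= 0 else -1
    return eps, x.evaluate({symbol: eps})


def concrete_t(xval):
    """Reference: the exact value of z*z - x for one concrete input, to check the bounds."""
    z = sqrt_approx(F(xval))
    return z * z - F(xval)
```

Running `analyse()` gives z = 39/32 + 3/16 ε1 − 1/32 ε2, so z ∈ [1, 23/16], and t = −15/1024 − 11/256 ε1 − 39/512 ε2 + 49/1024 ε3; both the centre of t and its ε1 coefficient are negative, so `worst_case_input(t, x, 1)` selects ε1 = 1, that is x = 2, and `concrete_t(2) = -7/64` indeed lies inside the computed range of t.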



3 Affine sets and zonotopes : notations and properties 

In what follows, we introduce matrix notations to handle tuples of affine forms, 
which we call affine sets, and characterize the geometric concretisation of sets of 
values taken by these affine sets. 

We note $\mathcal{M}(n,p)$ the space of matrices with $n$ lines and $p$ columns of real coefficients. An affine set expressing the set of values taken by $p$ variables over $n$ noise symbols $\varepsilon_i$, $1 \le i \le n$, can be represented by a matrix $A \in \mathcal{M}(n+1,p)$.

For example, consider the affine set

$$x = 20 - 4\varepsilon_1 + 2\varepsilon_3 + 3\varepsilon_4 \qquad (1)$$
$$y = 10 - 2\varepsilon_1 + \varepsilon_2 - \varepsilon_4, \qquad (2)$$

we have $n = 4$, $p = 2$ and:

$$A = \begin{pmatrix} 20 & 10 \\ -4 & -2 \\ 0 & 1 \\ 2 & 0 \\ 3 & -1 \end{pmatrix}.$$

Two matrix multiplications will be of interest in what follows:

- $Au$, where $u \in \mathbb{R}^p$, represents a linear combination of our $p$ variables, expressed on the $\varepsilon_i$ basis,

- ${}^tAe$, where $e \in \mathbb{R}^{n+1}$, $e_0 = 1$ and $\|e\|_\infty = \max_{0 \le i \le n} |e_i| \le 1$, represents the vector of actual values that our $p$ variables take for the particular values $e_i$ for each of our $\varepsilon_i$ noise variables. In this case, the additional symbol $e_0$, which is equal to 1, accounts for constant terms, as done for instance in the zone abstract domain [18].

We formally define the zonotopic concretisation of affine sets by

Definition 1. Let an affine set with $p$ variables over $n$ noise symbols, defined by a matrix $A \in \mathcal{M}(n+1,p)$. Its concretisation is the zonotope

$$\gamma(A) = \{ {}^tA\,(1 \mid e) \mid e \in \mathbb{R}^n, \|e\|_\infty \le 1 \} \subseteq \mathbb{R}^p.$$

We call its linear concretisation the zonotope centered on 0

$$\gamma_{lin}(A) = \{ {}^tA\,e \mid e \in \mathbb{R}^{n+1}, \|e\|_\infty \le 1 \} \subseteq \mathbb{R}^p.$$

For example, Figure 1 represents the concretization of the affine set defined by (1) and (2). It is a zonotope with center (20, 10) given by the vector of constant coefficients of the affine forms.

[Figure 1 (plot omitted): the zonotope drawn in the (x, y) plane, x-axis ticks 10 to 30, y-axis ticks 10 to 15.]

Fig. 1. Zonotope concretization $\gamma(A)$ of affine set (1)-(2)

Zonotopes are particular bounded convex polyhedra [19]. A way to characterize convex shapes is to consider support functions. For any direction $t \in \mathbb{R}^p$, let $\rho_t$ be the function which associates to all $x \in \mathbb{R}^p$, $\rho_t(x) = \langle t, x \rangle$ where $\langle .,. \rangle$ is the standard scalar product in $\mathbb{R}^p$, meaning that $\rho_t(x) = \sum_{i=1}^{p} t_i x_i$. Level-sets of support functions, i.e. sets defined by bounds on such functions, characterize convex sets [2], and nicely characterize zonotopes centered on 0:

Lemma 1. Let $S$ be a convex shape in $\mathbb{R}^p$. Then $S$ can be characterized as the (possibly infinite) intersection $\bigcap_{t \in \mathbb{R}^p} B_t$ of half-spaces of the form

$$B_t = \{ x \in \mathbb{R}^p \mid \rho_t(x) \le \sup_{y \in S} \rho_t(y) \}.$$

In case $S$ is a zonotope centered around 0, it has finitely many faces with normals $t_i$ ($1 \le i \le k$), and this intersection is finite:

$$S = \bigcap_{i=1}^{k} \{ x \in \mathbb{R}^p \mid |\rho_{t_i}(x)| \le \sup_{y \in S} \rho_{t_i}(y) \}.$$

Furthermore, there is an easy way to characterize the linear concretization $\gamma_{lin}(A)$ (see also [13]):

Lemma 2. Given a matrix $A \in \mathcal{M}(n+1,p)$, for all $t \in \mathbb{R}^p$, $\sup_{y \in \gamma_{lin}(A)} \rho_t(y) = \|At\|_1$, where $\|e\|_1 = \sum_{i=0}^{n} |e_i|$ is the $L^1$ norm.



Eric Goubault and Sylvie Putot



Proof. First of all, $\gamma_{lin}(A)$ is the image of the unit ball for the $L^\infty$ norm by ${}^tA$, as we noted in Definition 1. Therefore,

$$\sup_{y \in \gamma_{lin}(A)} \rho_t(y) = \sup_{e \in \mathbb{R}^{n+1},\ \|e\|_\infty \le 1} \rho_t({}^tAe).$$

We now have

$$\rho_t({}^tAe) = \langle t, {}^tAe \rangle = \langle At, e \rangle = \sum_{i=0}^{n} \Big( \sum_{j=1}^{p} a_{i,j} t_j \Big) e_i \le \sum_{i=0}^{n} \Big| \sum_{j=1}^{p} a_{i,j} t_j \Big| \, \|e\|_\infty = \|At\|_1 \, \|e\|_\infty.$$

This bound is reached for $e_i = \mathrm{sign}\big(\sum_{j=1}^{p} a_{i,j} t_j\big)$, which is such that $\|e\|_\infty = 1$. □

We illustrate Lemma 2 in Figure 2. Consider the matrix $A'$ associated to affine set (1)-(2) without its center. Its affine concretisation is the same zonotope as $\gamma(A)$ but centered on 0. For $l \in \mathbb{R}$, $t \in \mathbb{R}^p$, the $(l,t)$-level set corresponds to points on the hyperplane defined by: for $x \in \mathbb{R}^p$, $\rho_t(x) = \langle t, x \rangle = l$. This hyperplane is orthogonal to the line $L_t$ going through 0, with direction $t$. It intersects $L_t$ at a point $y = \lambda t$ such that $\|t\|_2 \lambda = l$. Given $t$ a direction in $\mathbb{R}^2$, the $(l,t)$-level set that intersects $\gamma_{lin}(A')$ with maximal value for $l$ realizes $l = \sup_{y \in \gamma_{lin}(A')} \rho_t(y) = \|A't\|_1$ by Lemma 2. We now take three vectors $t$ such that $\|t\|_2 = 1$. For $t_1 = {}^t(1,0)$, $\|A't_1\|_1 = 9$, we find the maximum of its concretisation on the x-axis to be 9. For $t_2 = {}^t(3/5, 4/5)$, $\|A't_2\|_1 = 7$, and $\gamma_{lin}(A') \subseteq H_{t_2}$, where $H_{t_2}$ is the region (or band) between the line orthogonal to $t_2$ depicted as a blue dashed line and its symmetric with respect to zero. For $t_3 = {}^t(2/\sqrt{40}, 6/\sqrt{40})$, which is orthogonal to a face of the zonotope, $\|A't_3\|_1 = 3\sqrt{40}/4$ and $\gamma_{lin}(A') \subseteq H_{t_3}$, which is the band between the two parallel faces in green.

[Figure 2 (plot omitted).]

Fig. 2. Affine concretization $\gamma_{lin}(A')$ of affine set (1)-(2) without its center

And indeed, for any matrix $A$, $\gamma_{lin}(A)$ is entirely described by providing the set of values $\|At\|_1$, where $t$ varies among all directions in $\mathbb{R}^p$:

Lemma 3. For matrices $X \in \mathcal{M}(n,p)$ and $Y \in \mathcal{M}(m,p)$, we have $\gamma_{lin}(X) \subseteq \gamma_{lin}(Y)$ if and only if $\|Xu\|_1 \le \|Yu\|_1$ for all $u \in \mathbb{R}^p$.

Proof. Suppose first that $\|Xu\|_1 \le \|Yu\|_1$ for all $u \in \mathbb{R}^p$. By the first part of Lemma 1,

$$\gamma_{lin}(X) = \bigcap_{t \in \mathbb{R}^p} \{ x \in \mathbb{R}^p \mid \rho_t(x) \in [\inf_{y \in \gamma_{lin}(X)} \rho_t(y),\ \sup_{y \in \gamma_{lin}(X)} \rho_t(y)] \}$$

with $\sup_{y \in \gamma_{lin}(X)} \rho_t(y) = -\inf_{y \in \gamma_{lin}(X)} \rho_t(y) = \|Xt\|_1$ by Lemma 2. Thus

$$\gamma_{lin}(X) = \bigcap_{t \in \mathbb{R}^p} \{ x \in \mathbb{R}^p \mid |\rho_t(x)| \le \|Xt\|_1 \} \subseteq \bigcap_{t \in \mathbb{R}^p} \{ x \in \mathbb{R}^p \mid |\rho_t(x)| \le \|Yt\|_1 \} = \gamma_{lin}(Y).$$

Conversely, suppose $\gamma_{lin}(X) \subseteq \gamma_{lin}(Y)$. Then

$$\|Xt\|_1 = \sup_{x \in \gamma_{lin}(X)} \rho_t(x) \le \sup_{x \in \gamma_{lin}(Y)} \rho_t(x) = \|Yt\|_1.$$

□
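Lemma 2 and the three directions discussed around Figure 2 can be checked numerically. The Python code below is an added example, not code from the paper: it takes the matrix $A$ of the affine set (1)-(2), computes $\|A't\|_1$ for $t_1$, $t_2$ and $t_3$, compares each value with a brute-force evaluation of the support function over all sign vectors $e \in \{-1,1\}^{n}$ (the candidates for the vertices of $\gamma_{lin}(A')$, since $\rho_t({}^tA'e) = \langle A't, e \rangle$ is linear in $e$), and finally reads off each variable's interval from $\gamma(A)$ by fixing $e_0 = 1$ and taking $t$ as a unit vector. The names `l1_norm_At`, `support_by_enumeration`, `variable_ranges` and `figure_2_directions` are the example's own.

```python
from fractions import Fraction as F
from itertools import product
from math import sqrt

# Matrix A of the affine set (1)-(2): line 0 holds the constants, lines 1..4 the
# coefficients of eps_1..eps_4; column 0 is x, column 1 is y.
A = [[20, 10],
     [-4, -2],
     [0, 1],
     [2, 0],
     [3, -1]]
A_PRIME = A[1:]          # A' of Figure 2: the same generators without the centre


def dot(row, t):
    return sum(a * b for a, b in zip(row, t))


def l1_norm_At(M, t):
    """||M t||_1 = sum over lines of |line . t|; by Lemma 2 this is sup of rho_t on gamma_lin(M)."""
    return sum(abs(dot(row, t)) for row in M)


def support_by_enumeration(M, t):
    """sup_{y in gamma_lin(M)} rho_t(y) computed the slow way: rho_t('M e) = <M t, e> is
    linear in e, so the supremum over the unit L-infinity ball is reached at a sign vector."""
    best = None
    for e in product((-1, 1), repeat=len(M)):
        value = sum(e_i * dot(row, t) for e_i, row in zip(e, M))
        if best is None or value > best:
            best = value
    return best


def variable_ranges(M):
    """Intervals of the variables described by gamma(M): e_0 is fixed to 1, so the range of
    variable k is the centre M[0][k] plus or minus ||(lines 1..n) e_k||_1."""
    p = len(M[0])
    ranges = []
    for k in range(p):
        unit = [1 if i == k else 0 for i in range(p)]
        radius = l1_norm_At(M[1:], unit)
        ranges.append((M[0][k] - radius, M[0][k] + radius))
    return ranges


def figure_2_directions():
    """The three unit directions of the discussion of Figure 2 and ||A' t||_1 for each."""
    t1 = (1, 0)
    t2 = (F(3, 5), F(4, 5))
    t3 = (2 / sqrt(40), 6 / sqrt(40))        # normal to the face generated by (3, -1)
    return [(t, l1_norm_At(A_PRIME, t)) for t in (t1, t2, t3)]
```

For `A_PRIME` the formula and the enumeration agree on 9, 7 and $3\sqrt{40}/4$, and `variable_ranges(A)` returns $x \in [11, 29]$ and $y \in [6, 14]$, the bounding box of the zonotope of Figure 1.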



4 Perturbed affine sets

4.1 Rationale

Let us get back to the program defining function f in Section 2. We introduce a noise symbol $\varepsilon_1$ to represent the range of values $[-1,1]$ for x. Using for example the sub-optimal join operator described in Lemma 10 to come, the affine set for x and y at the end of the program will be $x = \varepsilon_1$, $y = \varepsilon_1 + \eta_1$, with a new (perturbation) noise symbol $\eta_1$. The corresponding zonotope $Z_1$ is depicted in solid red in Figure 3.

Fig. 3. Two abstractions for the result of example function f defined in Section 2






Now, a better geometrical abstraction of the abstract value of $(x,y)$ is the zonotope $Z_2$ depicted in dashed blue in Figure 3. Since $y = x+1$ for positive x and $y = x-1$ for negative x, we only have to include the two segments in solid dark in the smallest zonotope possible. This is realized easily by a zonotope defined by the faces $x - y \in [-1,1]$ and $y - 3x \in [-3,3]$. Let us take a new symbol $\eta_2$ to represent $x - y$, and $\eta_3$ to represent $y - 3x$. This gives $x = -0.5\eta_2 - 0.5\eta_3$ and $y = -1.5\eta_2 - 0.5\eta_3$. Although the corresponding blue zonotope $Z_2$ is strictly included in the red zonotope $Z_1$, so it is geometrically more precise, we lose relations to the input values. Indeed, symbols $\varepsilon_i$ express dependencies to inputs of the program, whereas symbols $\eta_i$ do not. Thus, computing y minus the input of f, as in the main function of the example, gives $-\varepsilon_1 - 1.5\eta_2 - 0.5\eta_3 \in [-3,3]$. This range is far less precise than using the representation $Z_1$, where we find that this difference is equal to $\eta_1 \in [-1,1]$.

If we were not interested in input/output relations, a classical abstraction based on affine sets would be using the geometrical ordering on zonotopes. We would say that affine set $X$ is less or equal than $Y$ iff $\gamma(X) \subseteq \gamma(Y)$. For the sake of simplicity in the present discussion, suppose that $\gamma(X)$ and $\gamma(Y)$ are centered on 0. By Lemma 3, we would then ask for $\|Xt\|_1 \le \|Yt\|_1$ for all $t \in \mathbb{R}^p$.

Now, being interested in input/output relations, we will keep the existing symbols used to express possible ranges of values of input variables (for instance, $\varepsilon_1$ defines the value of input variable x in the example above), which should have a very strict interpretation, as well as the noise symbols due to (non linear) arithmetic operations. We call them the central noise symbols (such as $\varepsilon_1$). And, to express uncertainty on these relations due to possibly different execution paths, we will add additional noise symbols which we call perturbation noise symbols (such as $\eta_1$ in the example above).

We now define an ordered structure using these two sets of noise symbols. 

4.2 Definition 

We thus consider perturbed affine sets $X$ as Minkowski sums $\oplus$ of a central zonotope $\gamma(C^X)$ and of a perturbation zonotope (always centered on 0) $\gamma_{lin}(P^X)$:

Definition 2. We define a perturbed affine set $X$ by the pair of matrices $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We call $C^X = (c^X_{i,k})_{0 \le i \le n,\ 1 \le k \le p}$ the central matrix, and $P^X = (p^X_{j,k})_{1 \le j \le m,\ 1 \le k \le p}$ the perturbation matrix.

The perturbed affine form $\pi_k(X) = c^X_{0,k} + \sum_{i=1}^{n} c^X_{i,k}\,\varepsilon_i + \sum_{j=1}^{m} p^X_{j,k}\,\eta_j$, where the $\varepsilon_i$ are the central noise symbols and the $\eta_j$ the perturbation or union noise symbols, describes the $k$-th variable of $X$. We call $\gamma(C^X)$ the central zonotope and $\gamma_{lin}(P^X)$ the perturbation zonotope.

For instance $Z_1$ as defined in Section 4.1 is described by $C^1 = \begin{pmatrix} 0 & 0 \\ 1 & 1 \end{pmatrix}$ (the first line corresponds to the constant coefficients, the second to $\varepsilon_1$) and $P^1 = \begin{pmatrix} 0 & 1 \end{pmatrix}$ (first column corresponds to variable x, second column to y). $Z_2$ is described by $C^2 = \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix}$ and $P^2 = \begin{pmatrix} -0.5 & -1.5 \\ -0.5 & -0.5 \end{pmatrix}$ (the first line corresponds to perturbation symbol $\eta_2$, the second to $\eta_3$).

A Zonotopic Framework for Functional Abstractions

4.3 Ordered structure

Expressing $X$ less or equal than $Y$ on these perturbed affine sets with the geometrical order yields

$$\|C^X t\|_1 - \|C^Y t\|_1 \le \|P^Y t\|_1 - \|P^X t\|_1, \quad \forall t \in \mathbb{R}^p.$$

But many transformations that leave $\|C^X t\|_1$ and $\|C^Y t\|_1$ fixed for all $t$, and thus preserve that inequality, lose the intended meaning of the central noise symbols. We can fix this easily, by strengthening this preorder. Note that for all $t$, $\|C^X t\|_1 - \|C^Y t\|_1 \le \|(C^X - C^Y)t\|_1$, so defining

$$X \le Y \ \text{ iff } \ \|(C^X - C^Y)t\|_1 \le \|P^Y t\|_1 - \|P^X t\|_1$$

should imply the geometrical ordering at least (as we will prove in Lemma 5). The good point is that no transformation on the central noise symbols is allowed any longer using this preorder (as the characterization of the equivalence relation generated by this preorder will show, see Lemma 4), keeping a strict interpretation of the noise symbols describing the values of the input variables, hence the input/output relations.

We now formalize and study this stronger order:

Definition 3. Let $X = (C^X,P^X)$, $Y = (C^Y,P^Y)$ be two perturbed affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We say that $X \le Y$ iff

$$\sup_{u \in \mathbb{R}^p} \left( \|(C^Y - C^X)u\|_1 + \|P^X u\|_1 - \|P^Y u\|_1 \right) \le 0.$$

Coming back to our example of Section 4.1, $\gamma(Z_2) \subseteq \gamma(Z_1)$ but $Z_2 \not\le Z_1$. Take for instance $t = {}^t(1,1)$. Then $\|(C^1 - C^2)t\|_1 + \|P^2 t\|_1 - \|P^1 t\|_1 = 2 + 3 - 1 = 4 > 0$.

Lemma 4. The binary relation $\le$ of Definition 3 is a preorder. The equivalence relation generated by this preorder is $X \sim Y$ iff by definition $X \le Y$ and $Y \le X$. It can be characterized by $C^X = C^Y$ and $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$ (geometrically speaking, as sets). We still denote $\le / \sim$ by $\le$ in the rest of the text.

Proof. Reflexivity of $\le$ is immediate. Suppose now $X \le Y$ and $Y \le Z$, then for all $u \in \mathbb{R}^p$:

$$\|(C^Y - C^X)u\|_1 \le \|P^Y u\|_1 - \|P^X u\|_1$$
$$\|(C^Z - C^Y)u\|_1 \le \|P^Z u\|_1 - \|P^Y u\|_1$$

Using the triangular inequality, we get

$$\|(C^Z - C^X)u\|_1 \le \|(C^Z - C^Y)u\|_1 + \|(C^Y - C^X)u\|_1 \le \|P^Z u\|_1 - \|P^Y u\|_1 + \|P^Y u\|_1 - \|P^X u\|_1 = \|P^Z u\|_1 - \|P^X u\|_1$$

implying $X \le Z$, hence transitivity of $\le$.

Finally, $X \le Y$ and $Y \le X$ imply that for all $u \in \mathbb{R}^p$, $\|(C^Y - C^X)u\|_1$ is less or equal than $\|P^Y u\|_1 - \|P^X u\|_1$ and is also less or equal than $\|P^X u\|_1 - \|P^Y u\|_1$. Hence $(C^Y - C^X)u = 0$ for all $u$, meaning $C^Y = C^X$ and $\|P^X u\|_1 = \|P^Y u\|_1$ for all $u$. By Lemma 3 this exactly means that $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$. □



Lemma 5. Take $X = (C^X,P^X)$ and $Y = (C^Y,P^Y)$. Then $X \le Y$ implies

$$\gamma\begin{pmatrix} C^X \\ P^X \end{pmatrix} \subseteq \gamma\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}$$

or said in a different manner: $\gamma(C^X) \oplus \gamma_{lin}(P^X) \subseteq \gamma(C^Y) \oplus \gamma_{lin}(P^Y)$ where $\oplus$ denotes the Minkowski sum. Note that $X \le Y$ implies $\gamma_{lin}(P^X) \subseteq \gamma_{lin}(P^Y)$.

Proof. It is easy to prove that $\gamma_{lin}\begin{pmatrix} C^X \\ P^X \end{pmatrix} \subseteq \gamma_{lin}\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}$ given that $X \le Y$, using Lemma 3 and the triangular inequality for $\|.\|_1$.

However, what we want is a little stronger. In order to derive it, we define, for all matrix $A$ of dimension $(n+1) \times p$, a matrix $\bar{A}$ of dimension $(n+1) \times (p+1)$ by

$$\bar{A} = \begin{pmatrix} 1 & \\ 0 & \\ \vdots & A \\ 0 & \end{pmatrix}$$

i.e. $A$ preceded by a column whose only non-zero coefficient is a 1 on the constant line. The interest of this transformation is that the zonotopic concretisation $\gamma(A)$ is a particular face (which is the intersection with an hyperplane) of the 0-centered zonotope $\gamma_{lin}(\bar{A})$:

$$\gamma(A) = \gamma_{lin}(\bar{A}) \cap \{ (1, x_1, \ldots, x_p) \mid (x_1, \ldots, x_p) \in \mathbb{R}^p \}. \qquad (3)$$

We now prove $\gamma_{lin}\left(\overline{\begin{pmatrix} C^X \\ P^X \end{pmatrix}}\right) \subseteq \gamma_{lin}\left(\overline{\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}}\right)$. For all $t = {}^t(t_0, t_1, \ldots, t_p) \in \mathbb{R}^{p+1}$, writing $\tilde t = {}^t(t_1, \ldots, t_p)$,

$$\begin{aligned}
\left\| \overline{\begin{pmatrix} C^X \\ P^X \end{pmatrix}}\, t \right\|_1 - \left\| \overline{\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}}\, t \right\|_1
&= \|\bar{C}^X t\|_1 - \|\bar{C}^Y t\|_1 + \|P^X \tilde t\|_1 - \|P^Y \tilde t\|_1 \\
&= \Big| t_0 + \sum_{k=1}^{p} c^X_{0,k} t_k \Big| - \Big| t_0 + \sum_{k=1}^{p} c^Y_{0,k} t_k \Big| + \|(c^X_{i,k})_{1 \le i \le n,\,1 \le k \le p}\,\tilde t\|_1 - \|(c^Y_{i,k})_{1 \le i \le n,\,1 \le k \le p}\,\tilde t\|_1 + \|P^X \tilde t\|_1 - \|P^Y \tilde t\|_1 \\
&\le \Big| \sum_{k=1}^{p} c^X_{0,k} t_k - \sum_{k=1}^{p} c^Y_{0,k} t_k \Big| + \|(c^X_{i,k})_{1 \le i \le n,\,1 \le k \le p}\,\tilde t\|_1 - \|(c^Y_{i,k})_{1 \le i \le n,\,1 \le k \le p}\,\tilde t\|_1 + \|P^X \tilde t\|_1 - \|P^Y \tilde t\|_1 \\
&\le \|(C^Y - C^X)\tilde t\|_1 + \|P^X \tilde t\|_1 - \|P^Y \tilde t\|_1 \le 0.
\end{aligned}$$

Hence by Lemma 3, $\gamma_{lin}\left(\overline{\begin{pmatrix} C^X \\ P^X \end{pmatrix}}\right) \subseteq \gamma_{lin}\left(\overline{\begin{pmatrix} C^Y \\ P^Y \end{pmatrix}}\right)$ which, by (3), implies the result. □
The order we define is in fact essentially more complex than the inclusion ordering, while still being computable:

Lemma 6. The partial order $\le$ is decidable, with a complexity bounded by a polynomial in $p$ and an exponential in $n + m$.

Proof. The problem can be solved using a number of linear programs exponential in $n+m$, one for each choice of signs below. Let $X = (C^X,P^X)$, $Y = (C^Y,P^Y)$ be two perturbed affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We want to decide algorithmically whether $X \le Y$, that is

$$\sup_{u \in \mathbb{R}^p} \left( \|(C^Y - C^X)u\|_1 + \|P^X u\|_1 - \|P^Y u\|_1 \right) \le 0.$$

Looking at the proof of Lemma 2, we see that

$$\|Au\|_1 = \sup_{e \in \mathbb{R}^{n+1},\ \|e\|_\infty \le 1} \sum_{i=0}^{n} \Big( \sum_{j=1}^{p} a_{i,j} u_j \Big) e_i$$

and that this bound is reached for $e \in \mathbb{R}^{n+1}$ such that for all $i$, $e_i = 1$ or $e_i = -1$.

We therefore produce, for each $e \in \mathbb{R}^{n+1}$, $f \in \mathbb{R}^{m}$ and $g \in \mathbb{R}^{m}$, with, for all $i$, $e_i = 1$ or $e_i = -1$, $f_i = 1$ or $f_i = -1$, $g_i = 1$ or $g_i = -1$, the following linear program:

$$\max_{u \in \mathbb{R}^p} \Big( \sum_{i=0}^{n} \sum_{j=1}^{p} e_i\,(c^Y_{i,j} - c^X_{i,j})\,u_j + \sum_{i=1}^{m} \sum_{j=1}^{p} f_i\, p^X_{i,j}\, u_j - \sum_{i=1}^{m} \sum_{j=1}^{p} g_i\, p^Y_{i,j}\, u_j \Big)$$

subject to

$$\sum_{j=1}^{p} e_i\,(c^Y_{i,j} - c^X_{i,j})\,u_j \ge 0, \quad \forall\, 0 \le i \le n$$
$$\sum_{j=1}^{p} f_i\, p^X_{i,j}\, u_j \ge 0, \quad \forall\, 1 \le i \le m$$
$$\sum_{j=1}^{p} g_i\, p^Y_{i,j}\, u_j \ge 0, \quad \forall\, 1 \le i \le m$$

that we solve using any linear program solver (with polynomial complexity). We then check for each problem that it is either not satisfiable or its supremum is negative or zero. □

Fortunately, there is no need to use this general decision procedure in a static analyser by abstract interpretation. We refer the reader to the end of Section 4.6 for a discussion on this point.
4.4 Extension of affine arithmetic on perturbed affine forms

Interpretation of assignments and correctness issues We detail below the interpretation of arithmetic expressions, dealing first with affine assignments, that do not lose any precision. We use a very simple form for the multiplication. There are in fact more precise ways to compute assignments containing polynomial expressions. Firstly, the multiplication formula can be improved, see [8,11]. Secondly, when interpreting a non-linear assignment, it is better in practice to introduce new noise symbols for the entire expression, and not for every non-linear elementary operation as we present here. But for the sake of simplicity, we do not describe this here. Note also that we would need formally to prove that projections onto a subset of variables (change of scope), and renumbering of variables are monotonic operations, but these are easy checks and we omit them here. Note finally that the proofs of monotonicity of our transfer functions are not only convenient for getting fixpoints for our abstract semantics functionals. They are also necessary for proving the correctness of our approach. As already stated in [11,13], the correctness criterion we need relies on the property that whenever $X \le Y$ are two perturbed affine sets, all future evaluations using expressions $e$ give smaller concretisations starting with $X$ than starting with $Y$, i.e. $\gamma(\llbracket e \rrbracket X) \subseteq \gamma(\llbracket e \rrbracket Y)$. This is proven easily as follows: as $\llbracket e \rrbracket$ is a composite of monotonic functions, $\llbracket e \rrbracket X \le \llbracket e \rrbracket Y$. The conclusion holds because of Lemma 5.



Affine assignments We first define the assignment of a possibly unknown constant within bounds $a, b \in \mathbb{R}$ to a (new) variable, $x_{p+1} := [a,b]$:

Definition 4. Let $X = (C^X,P^X)$ be a perturbed affine set in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$ and $a, b \in \mathbb{R}$. We define $Z = \llbracket x_{p+1} = [a,b] \rrbracket X \in \mathcal{M}(n+2,p+1) \times \mathcal{M}(m,p+1)$ with:

$$c^Z_{i,k} = c^X_{i,k} \ \text{ and } \ c^Z_{n+1,k} = 0 \ \text{ for all } i = 0, \ldots, n,\ k = 1, \ldots, p$$
$$c^Z_{0,p+1} = \tfrac{a+b}{2}, \quad c^Z_{i,p+1} = 0 \ \text{ for all } i = 1, \ldots, n \ \text{ and } \ c^Z_{n+1,p+1} = \tfrac{|a-b|}{2}$$
$$p^Z_{j,k} = p^X_{j,k} \ \text{ for all } j = 1, \ldots, m,\ k = 1, \ldots, p$$
$$p^Z_{j,p+1} = 0 \ \text{ for all } j = 1, \ldots, m$$

Or in block matrix form,

$$C^Z = \begin{pmatrix} C^X & \begin{smallmatrix} \frac{a+b}{2} \\ 0 \\ \vdots \\ 0 \end{smallmatrix} \\ 0 & \frac{|a-b|}{2} \end{pmatrix}, \qquad P^Z = \begin{pmatrix} P^X & 0 \end{pmatrix}.$$

We carry on by addition, or more precisely, the operation interpreting the assignment $x_{p+1} := x_i + x_j$ and adding new variable $x_{p+1}$ to the affine set:

Definition 5. Let $X = (C^X,P^X)$ be a perturbed affine set in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = \llbracket x_{p+1} = x_i + x_j \rrbracket X = (C^Z,P^Z) \in \mathcal{M}(n+1,p+1) \times \mathcal{M}(m,p+1)$ by

$$C^Z = \begin{pmatrix} C^X & c^X_{\cdot,i} + c^X_{\cdot,j} \end{pmatrix} \quad \text{and} \quad P^Z = \begin{pmatrix} P^X & p^X_{\cdot,i} + p^X_{\cdot,j} \end{pmatrix},$$

where $c^X_{\cdot,i}$ (resp. $p^X_{\cdot,i}$) denotes the $i$-th column of $C^X$ (resp. of $P^X$).

Finally, we give a meaning to the interpretation of assignments of the form $x_{p+1} := \lambda x_i$, for $\lambda \in \mathbb{R}$:

Definition 6. Let $X = (C^X,P^X)$ be a perturbed affine set in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = \llbracket x_{p+1} = \lambda x_i \rrbracket X = (C^Z,P^Z) \in \mathcal{M}(n+1,p+1) \times \mathcal{M}(m,p+1)$ by

$$C^Z = \begin{pmatrix} C^X & \lambda\, c^X_{\cdot,i} \end{pmatrix} \quad \text{and} \quad P^Z = \begin{pmatrix} P^X & \lambda\, p^X_{\cdot,i} \end{pmatrix}.$$
We can prove the correctness of our abstract semantics:

Lemma 7. Operations $X \to \llbracket x_{p+1} = [a,b] \rrbracket X$, $X \to \llbracket x_{p+1} = x_i + x_j \rrbracket X$ and $X \to \llbracket x_{p+1} = \lambda x_i \rrbracket X$ are increasing over perturbed affine sets. Moreover these three operations do not introduce over-approximations.

Proof. Suppose we are given two perturbed affine sets $X$ and $Y$ such that $X \le Y$. For $t = (t_1, \ldots, t_{p+1}) \in \mathbb{R}^{p+1}$ we write $\tilde t = (t_1, \ldots, t_p)$.

First, for constant assignments, we have, for all $t \in \mathbb{R}^{p+1}$:

$$\begin{aligned}
\|(C^{\llbracket x_{p+1}=[a,b] \rrbracket X} - C^{\llbracket x_{p+1}=[a,b] \rrbracket Y})\,t\|_1 &= \|(C^X - C^Y)\,\tilde t\|_1 \\
&\le \|P^Y \tilde t\|_1 - \|P^X \tilde t\|_1 \\
&= \|P^{\llbracket x_{p+1}=[a,b] \rrbracket Y}\,t\|_1 - \|P^{\llbracket x_{p+1}=[a,b] \rrbracket X}\,t\|_1
\end{aligned}$$

which shows monotonicity of $X \to \llbracket x_{p+1} = [a,b] \rrbracket X$. The concretisation of $\llbracket x_{p+1} = [a,b] \rrbracket X$ is obviously exact.

Now for addition of variables, we have, for all $t \in \mathbb{R}^{p+1}$:

$$\begin{aligned}
\|(C^{\llbracket x_{p+1}=x_i+x_j \rrbracket X} - C^{\llbracket x_{p+1}=x_i+x_j \rrbracket Y})\,t\|_1
&= \sum_{l=0}^{n} \Big| \sum_{k=1}^{p+1} \big( c^{\llbracket x_{p+1}=x_i+x_j \rrbracket X}_{l,k} - c^{\llbracket x_{p+1}=x_i+x_j \rrbracket Y}_{l,k} \big)\, t_k \Big| \\
&= \sum_{l=0}^{n} \Big| \sum_{k=1}^{p} (c^X_{l,k} - c^Y_{l,k})\, t_k + (c^X_{l,i} - c^Y_{l,i} + c^X_{l,j} - c^Y_{l,j})\, t_{p+1} \Big| \\
&= \|(C^X - C^Y)\,{}^t(t_1, \ldots, t_i + t_{p+1}, \ldots, t_j + t_{p+1}, \ldots, t_p)\|_1 \\
&\le \|P^Y\,{}^t(t_1, \ldots, t_i + t_{p+1}, \ldots, t_j + t_{p+1}, \ldots, t_p)\|_1 - \|P^X\,{}^t(t_1, \ldots, t_i + t_{p+1}, \ldots, t_j + t_{p+1}, \ldots, t_p)\|_1 \\
&= \|P^{\llbracket x_{p+1}=x_i+x_j \rrbracket Y}\,t\|_1 - \|P^{\llbracket x_{p+1}=x_i+x_j \rrbracket X}\,t\|_1
\end{aligned}$$

which shows monotonicity of $X \to \llbracket x_{p+1} = x_i + x_j \rrbracket X$. The concretisation of $\llbracket x_{p+1} = x_i + x_j \rrbracket X$ is obviously exact.

And finally, we have, for all $t \in \mathbb{R}^{p+1}$:

$$\begin{aligned}
\|(C^{\llbracket x_{p+1}=\lambda x_i \rrbracket X} - C^{\llbracket x_{p+1}=\lambda x_i \rrbracket Y})\,t\|_1
&= \sum_{l=0}^{n} \Big| \sum_{k=1}^{p+1} \big( c^{\llbracket x_{p+1}=\lambda x_i \rrbracket X}_{l,k} - c^{\llbracket x_{p+1}=\lambda x_i \rrbracket Y}_{l,k} \big)\, t_k \Big| \\
&= \sum_{l=0}^{n} \Big| \sum_{k=1}^{p} (c^X_{l,k} - c^Y_{l,k})\, t_k + \lambda\,(c^X_{l,i} - c^Y_{l,i})\, t_{p+1} \Big| \\
&= \|(C^X - C^Y)\,{}^t(t_1, \ldots, t_i + \lambda t_{p+1}, \ldots, t_p)\|_1 \\
&\le \|P^Y\,{}^t(t_1, \ldots, t_i + \lambda t_{p+1}, \ldots, t_p)\|_1 - \|P^X\,{}^t(t_1, \ldots, t_i + \lambda t_{p+1}, \ldots, t_p)\|_1 \\
&= \|P^{\llbracket x_{p+1}=\lambda x_i \rrbracket Y}\,t\|_1 - \|P^{\llbracket x_{p+1}=\lambda x_i \rrbracket X}\,t\|_1
\end{aligned}$$

which shows monotonicity of $X \to \llbracket x_{p+1} = \lambda x_i \rrbracket X$. The concretisation of $\llbracket x_{p+1} = \lambda x_i \rrbracket X$ is obviously exact. □



Polynomial assignments The following operation defines the multiplication of variables $x_i$ and $x_j$, appending the result to the perturbed affine set $X$. All polynomial assignments can be defined using this and the previous operations.

Definition 7. Let $X = (C^X,P^X)$ be a perturbed affine set in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = (C^Z,P^Z) = \llbracket x_{p+1} = x_i \times x_j \rrbracket X \in \mathcal{M}(n+2,p+1) \times \mathcal{M}(m+1,p+1)$ by:

- $c^Z_{l,k} = c^X_{l,k}$ and $c^Z_{n+1,k} = 0$ for all $l = 0, \ldots, n$ and $k = 1, \ldots, p$
- $c^Z_{0,p+1} = c^X_{0,i}\, c^X_{0,j}$
- $c^Z_{l,p+1} = c^X_{0,i}\, c^X_{l,j} + c^X_{l,i}\, c^X_{0,j}$ for all $l = 1, \ldots, n$
- $c^Z_{n+1,p+1} = \sum_{1 \le r,l \le n} |c^X_{r,i}\, c^X_{l,j}|$
- $p^Z_{l,k} = p^X_{l,k}$, $p^Z_{m+1,k} = 0$ and $p^Z_{l,p+1} = 0$, for all $l = 1, \ldots, m$ and $k = 1, \ldots, p$
- $p^Z_{m+1,p+1} = \sum_{1 \le r,l \le m} |p^X_{r,i}\, p^X_{l,j}| + \sum_{0 \le r \le n,\ 1 \le l \le m} |c^X_{r,i}\, p^X_{l,j}| + \sum_{0 \le l \le n,\ 1 \le r \le m} |p^X_{r,i}\, c^X_{l,j}|$

Lemma 8. The operation $X \to \llbracket x_{p+1} = x_i \times x_j \rrbracket X$ is increasing, and has a concretisation which contains the set of points of the form $(x_1, \ldots, x_{p+1})$ with $(x_1, \ldots, x_p) \in \gamma(X)$ and $x_{p+1} = x_i x_j$.

Proof. Let $X$ and $Y$ be two perturbed affine sets such that $X \le Y$, and let $U = \llbracket x_{p+1} = x_i \times x_j \rrbracket X$ and $T = \llbracket x_{p+1} = x_i \times x_j \rrbracket Y$. For $t = (t_1, \ldots, t_{p+1}) \in \mathbb{R}^{p+1}$ we write $\tilde t = (t_1, \ldots, t_p)$, and $\pi_i(M)$ denotes the $i$-th column of a matrix $M$. We compute for all $t \in \mathbb{R}^{p+1}$:

$$\begin{aligned}
\|(C^T - C^U)\,t\|_1 &= \Big| \sum_{k=1}^{p} (c^Y_{0,k} - c^X_{0,k})\, t_k + (c^Y_{0,i}c^Y_{0,j} - c^X_{0,i}c^X_{0,j})\, t_{p+1} \Big| \\
&\quad + \sum_{k=1}^{n} \Big| \sum_{l=1}^{p} (c^Y_{k,l} - c^X_{k,l})\, t_l + (c^Y_{0,i}c^Y_{k,j} + c^Y_{k,i}c^Y_{0,j} - c^X_{0,i}c^X_{k,j} - c^X_{k,i}c^X_{0,j})\, t_{p+1} \Big| \\
&\quad + \Big| \sum_{k=1}^{n} \sum_{l=1}^{n} \big( |c^Y_{k,i}c^Y_{l,j}| - |c^X_{k,i}c^X_{l,j}| \big)\, t_{p+1} \Big| \\
&\le \sum_{k=0}^{n} \Big| \sum_{l=1}^{p} (c^Y_{k,l} - c^X_{k,l})\, t_l \Big| + \Big| \big( (c^Y_{0,i} - c^X_{0,i})\, c^Y_{0,j} + c^X_{0,i}\,(c^Y_{0,j} - c^X_{0,j}) \big)\, t_{p+1} \Big| \\
&\quad + \sum_{k=1}^{n} \Big| \big( (c^Y_{0,i} - c^X_{0,i})\, c^Y_{k,j} + c^X_{0,i}\,(c^Y_{k,j} - c^X_{k,j}) + (c^Y_{k,i} - c^X_{k,i})\, c^Y_{0,j} + c^X_{k,i}\,(c^Y_{0,j} - c^X_{0,j}) \big)\, t_{p+1} \Big| \\
&\quad + \Big| \sum_{k=1}^{n} \sum_{l=1}^{n} \big( (|c^Y_{k,i}| - |c^X_{k,i}|)\,|c^Y_{l,j}| + |c^X_{k,i}|\,(|c^Y_{l,j}| - |c^X_{l,j}|) \big)\, t_{p+1} \Big| \\
&\le \|P^Y \tilde t\|_1 - \|P^X \tilde t\|_1 + \Big( \sum_{r=0}^{n} |c^Y_{r,i} - c^X_{r,i}| \Big) \Big( \sum_{l=0}^{n} |c^Y_{l,j}| \Big)\, |t_{p+1}| + \Big( \sum_{r=0}^{n} |c^X_{r,i}| \Big) \Big( \sum_{l=0}^{n} |c^Y_{l,j} - c^X_{l,j}| \Big)\, |t_{p+1}|
\end{aligned}$$

But $X \le Y$, so $\pi_i(X) \le \pi_i(Y)$ and $\pi_j(X) \le \pi_j(Y)$. Therefore,

$$\Big( \sum_{r=0}^{n} |c^Y_{r,i} - c^X_{r,i}| \Big) \Big( \sum_{l=0}^{n} |c^Y_{l,j}| \Big) \le \|\pi_j(C^Y)\|_1 \big( \|\pi_i(P^Y)\|_1 - \|\pi_i(P^X)\|_1 \big)$$

and,

$$\Big( \sum_{r=0}^{n} |c^X_{r,i}| \Big) \Big( \sum_{l=0}^{n} |c^Y_{l,j} - c^X_{l,j}| \Big) \le \|\pi_i(C^X)\|_1 \big( \|\pi_j(P^Y)\|_1 - \|\pi_j(P^X)\|_1 \big)$$

Hence,

$$\begin{aligned}
\|(C^T - C^U)\,t\|_1 &\le \|P^Y \tilde t\|_1 + \|\pi_i(C^X)\|_1 \|\pi_j(P^Y)\|_1\, |t_{p+1}| + \|\pi_j(C^Y)\|_1 \|\pi_i(P^Y)\|_1\, |t_{p+1}| \\
&\quad - \|P^X \tilde t\|_1 - \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1\, |t_{p+1}| - \|\pi_j(C^Y)\|_1 \|\pi_i(P^X)\|_1\, |t_{p+1}| \\
&\le \|P^Y \tilde t\|_1 + \big( \|\pi_i(C^X - C^Y)\|_1 + \|\pi_i(C^Y)\|_1 \big) \|\pi_j(P^Y)\|_1\, |t_{p+1}| + \|\pi_j(C^Y)\|_1 \|\pi_i(P^Y)\|_1\, |t_{p+1}| \\
&\quad - \|P^X \tilde t\|_1 - \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1\, |t_{p+1}| - \big( \|\pi_j(C^X)\|_1 - \|\pi_j(C^X - C^Y)\|_1 \big) \|\pi_i(P^X)\|_1\, |t_{p+1}| \\
&\le \|P^Y \tilde t\|_1 + \big( \|\pi_i(P^Y)\|_1 \|\pi_j(P^Y)\|_1 + \|\pi_i(C^Y)\|_1 \|\pi_j(P^Y)\|_1 + \|\pi_j(C^Y)\|_1 \|\pi_i(P^Y)\|_1 \big)\, |t_{p+1}| \\
&\quad - \|P^X \tilde t\|_1 - \big( \|\pi_i(P^X)\|_1 \|\pi_j(P^X)\|_1 + \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1 + \|\pi_j(C^X)\|_1 \|\pi_i(P^X)\|_1 \big)\, |t_{p+1}|
\end{aligned}$$

where the last step uses $\|\pi_i(C^X - C^Y)\|_1 \le \|\pi_i(P^Y)\|_1 - \|\pi_i(P^X)\|_1$ and $\|\pi_j(C^X - C^Y)\|_1 \le \|\pi_j(P^Y)\|_1 - \|\pi_j(P^X)\|_1$. Hence the result, since precisely

$$p^U_{m+1,p+1} = \sum_{1 \le r,l \le m} |p^X_{r,i}\, p^X_{l,j}| + \sum_{0 \le r \le n,\ 1 \le l \le m} |c^X_{r,i}\, p^X_{l,j}| + \sum_{0 \le l \le n,\ 1 \le r \le m} |p^X_{r,i}\, c^X_{l,j}|$$

is also equal to

$$\|\pi_i(P^X)\|_1 \|\pi_j(P^X)\|_1 + \|\pi_i(C^X)\|_1 \|\pi_j(P^X)\|_1 + \|\pi_j(C^X)\|_1 \|\pi_i(P^X)\|_1,$$

and likewise for $p^T_{m+1,p+1}$ with $Y$ in place of $X$, so that the last expression is $\|P^T t\|_1 - \|P^U t\|_1$. Finally, the fact that the image of $x_{p+1}$ contains all the products $x_i \times x_j$ is trivial. □



4.5 The join operator 

We first recall the definition of a minimal upper bound, or mub:

Definition 8. Let $\sqsubseteq$ be a partial order on a set $X$. We say that $z$ is a mub of two elements $x, y$ of $X$ if and only if

— $z$ is an upper bound of $x$ and $y$, i.e. $x \sqsubseteq z$ and $y \sqsubseteq z$,

— for all $z'$ upper bound of $x$ and $y$, $z' \sqsubseteq z$ implies $z = z'$.

We give below an example of such mubs on perturbed affine sets.

Example 1. Consider
\[ X = \begin{pmatrix} 1 + \varepsilon_1 \\ 1 + \varepsilon_1 \end{pmatrix}, \qquad Y = \begin{pmatrix} 1 + 2\varepsilon_1 \\ 1 + 2\varepsilon_1 \end{pmatrix}, \qquad Z = \begin{pmatrix} 1 + 1.5\varepsilon_1 + 0.5\eta_1 \\ 1 + 1.5\varepsilon_1 + 0.5\eta_1 \end{pmatrix} \]
$Z$ is a mub for $X$ and $Y$, given by a "midpoint" formula.

This gives us an idea on how to find, in $O((n+m)p)$ time, a mub in some cases, or a tight upper bound in all cases:

Lemma 9. Let $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$ be two perturbed affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. Upper bounds $Z = (C^Z, P^Z)$ of $X$ and $Y$ satisfy:
\[ \forall t \in \mathbb{R}^p,\quad \|P^Z t\|_1 \ge \tfrac{1}{2} \big( \|(C^Y - C^X)t\|_1 + \|P^X t\|_1 + \|P^Y t\|_1 \big) \tag{4} \]
When $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$, there exists a mub $Z$ with $P^Z$ satisfying (4) with equality; it is defined by $Z = (C^Z, P^Z) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m+n+1,p)$ with:

- $c^Z_{i,k} = \tfrac{1}{2}(c^X_{i,k} + c^Y_{i,k})$ for all $i = 0, \ldots, n$, $k = 1, \ldots, p$

- $p^Z_{j+1,k} = \tfrac{1}{2}(c^Y_{j,k} - c^X_{j,k})$ for all $j = 0, \ldots, n$, $k = 1, \ldots, p$

- $p^Z_{n+j+1,k} = p^X_{j,k}$ for all $j = 1, \ldots, m$, $k = 1, \ldots, p$

Proof. We begin by showing the following: let $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$ be two perturbed affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. Upper bounds $Z = (C^Z, P^Z)$ of $X$ and $Y$ satisfy:
\[ \forall t \in \mathbb{R}^p,\quad \|P^Z t\|_1 \ge \tfrac{1}{2} \big( \|(C^Y - C^X)t\|_1 + \|P^X t\|_1 + \|P^Y t\|_1 \big) \tag{5} \]
As $X \le Z$ and $Y \le Z$, we have, for all $t \in \mathbb{R}^p$:
\[ \|(C^Z - C^X)t\|_1 \le \|P^Z t\|_1 - \|P^X t\|_1 \tag{6} \]
\[ \|(C^Z - C^Y)t\|_1 \le \|P^Z t\|_1 - \|P^Y t\|_1 \tag{7} \]
So,
\[ \|(C^Y - C^X)t\|_1 \le \|(C^Z - C^Y)t\|_1 + \|(C^Z - C^X)t\|_1 \le 2\|P^Z t\|_1 - \|P^X t\|_1 - \|P^Y t\|_1 \]
Therefore we have inequality (5).

If ever we find $Z = (C^Z, P^Z)$ such that inequality (5) is in fact an equality, and such that $Z$ is an upper bound of $X$ and $Y$, then we are sure that $Z$ is a mub: whenever we take another upper bound $T$ of $X$ and $Y$, $T$ cannot possibly be strictly less than $Z$, for $\|P^Z t\|_1 - \|P^T t\|_1 \le 0$ by inequality (5) applied to $T$.

We notice that the equation on the zonotope $P^Z$ given by
\[ \|P^Z t\|_1 = \tfrac{1}{2} \big( \|(C^Y - C^X)t\|_1 + \|P^Y t\|_1 + \|P^X t\|_1 \big) \]
trivially realizing inequality (5) as an equality, can easily be solved by taking $P^Z$ as the Minkowski sum of the zonotopes given by $C^Y - C^X$, $P^Y$ and $P^X$, reduced in size by half. An easy choice is to make
\[ P^Z = \frac{1}{2} \begin{pmatrix} C^Y - C^X \\ P^Y \\ P^X \end{pmatrix} \]
or any choice (with fewer noise symbols for instance) giving the same zonotope, geometrically.

Now that we have found a potential $P^Z$, we rewrite inequalities (6) and (7):
\[ \|(C^Z - C^X)t\|_1 \le \tfrac{1}{2} \big( \|(C^Y - C^X)t\|_1 + \|P^Y t\|_1 - \|P^X t\|_1 \big) \tag{8} \]
\[ \|(C^Z - C^Y)t\|_1 \le \tfrac{1}{2} \big( \|(C^Y - C^X)t\|_1 + \|P^X t\|_1 - \|P^Y t\|_1 \big) \tag{9} \]
In case $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$, inequalities (8) and (9) can be made into equalities, choosing $C^Z$ to have entries being the mean of the corresponding entries of $C^X$ and $C^Y$, exactly realizing $\|(C^Z - C^X)t\|_1 = \tfrac{1}{2}\|(C^Y - C^X)t\|_1 = \|(C^Z - C^Y)t\|_1$. In that case, we can choose for example
\[ P^Z = \begin{pmatrix} \tfrac{1}{2}(C^Y - C^X) \\ P^X \end{pmatrix} \]
□

We do not fully discuss here the general case, but some intuition is given in Example 3. A good over-approximation of a mub is given by the above formula applied to $X' = (C^X, P^U)$ and $Y' = (C^Y, P^U)$, where $P^U$ is such that $\gamma(P^X) \cup \gamma(P^Y) \subseteq \gamma(P^U)$.

Example 2. Consider now:
\[ X = \begin{pmatrix} 1 + 2\varepsilon_1 \\ -1 + \varepsilon_1 - 2\varepsilon_2 \end{pmatrix}, \qquad Y = \begin{pmatrix} 3 + \varepsilon_1 \\ 1 + 2\varepsilon_1 - \varepsilon_2 \end{pmatrix} \]
Using Lemma 9, we find
\[ Z = \begin{pmatrix} 2 + 1.5\varepsilon_1 + \eta_1 - 0.5\eta_2 \\ 1.5\varepsilon_1 - 1.5\varepsilon_2 + \eta_1 + 0.5\eta_2 + 0.5\eta_3 \end{pmatrix} \]
which is a mub indeed. It is depicted in Figure 4.



Convergence acceleration. The trouble with Lemma 9 is that it may produce a lot of new noise symbols, and is thus not always easily applicable. We thus introduce a less refined join operator, which also very often allows to accelerate fixpoint convergence. For any interval $i$, we denote by $mid(i)$ its center. Let $\alpha \wedge \beta$ denote the minimum of the two real numbers, and $\alpha \vee \beta$ their maximum. We define
\[ \operatorname{argmin}_{|.|}(\alpha, \beta) = \{ \gamma \in [\alpha \wedge \beta, \alpha \vee \beta],\ |\gamma| \text{ minimal} \} \]

Lemma 10. Let $X = (C^X, P^X)$ and $Y = (C^Y, P^Y)$ be two perturbed affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = (C^Z, P^Z) = X \vee Y \in \mathcal{M}(n+1,p) \times \mathcal{M}(m+p,p)$ by:

- $c^Z_{0,k} = mid\big(\gamma(\pi_k(X)) \cup \gamma(\pi_k(Y))\big)$ for all $k = 1, \ldots, p$

- $c^Z_{i,k} = \operatorname{argmin}_{|.|}(c^X_{i,k}, c^Y_{i,k})$ for all $i = 1, \ldots, n$, $k = 1, \ldots, p$

- $p^Z_{j,k} = \operatorname{argmin}_{|.|}(p^X_{j,k}, p^Y_{j,k})$ for all $j = 1, \ldots, m$, $k = 1, \ldots, p$

- $p^Z_{m+j,j} = \sup\big(\gamma(\pi_j(X)) \cup \gamma(\pi_j(Y))\big) - \sup \gamma\big(c^Z_{0,j} + \sum_{i=1}^{n} c^Z_{i,j}\varepsilon_i + \sum_{l=1}^{m} p^Z_{l,j}\eta_l\big)$ for all $j = 1, \ldots, p$

- $p^Z_{m+j,k} = 0$ for all $j, k = 1, \ldots, p$ with $j \ne k$

Then $Z$ is an upper bound of $X$ and $Y$ such that for all $k = 1, \ldots, p$, $\gamma(\pi_k(Z)) = \gamma(\pi_k(X)) \cup \gamma(\pi_k(Y))$.

Proof. We prove that $X \le Z$, the property that $\gamma(\pi_k(Z)) = \gamma(\pi_k(X)) \cup \gamma(\pi_k(Y))$ being easy to check (by construction!). Now, we want to prove negativity, for all $t \in \mathbb{R}^p$, of:
\[ \sum_{i=0}^{n} \Big| \sum_{k=1}^{p} (c^Z_{i,k} - c^X_{i,k})\, t_k \Big| + \sum_{j=1}^{m} \Big| \sum_{k=1}^{p} p^X_{j,k}\, t_k \Big| - \sum_{j=1}^{m} \Big| \sum_{k=1}^{p} p^Z_{j,k}\, t_k \Big| - \sum_{j=1}^{p} \big| p^Z_{m+j,j}\, t_j \big| \]
By the triangle inequality, the sum of the first three terms is less than or equal to
\[ \sum_{i=0}^{n} \Big| \sum_{k=1}^{p} (c^Z_{i,k} - c^X_{i,k})\, t_k \Big| + \sum_{j=1}^{m} \Big| \sum_{k=1}^{p} (p^X_{j,k} - p^Z_{j,k})\, t_k \Big| \]
which, using it again for each sum, is less than or equal to
\[ \sum_{k=1}^{p} |t_k| \Big( \sum_{i=0}^{n} |c^Z_{i,k} - c^X_{i,k}| + \sum_{j=1}^{m} |p^Z_{j,k} - p^X_{j,k}| \Big) \]
But we know by [13], section 3.5.1, where this operator for acceleration of convergence was defined, that for all $k = 1, \ldots, p$, $\sum_{i=0}^{n} |c^Z_{i,k} - c^X_{i,k}| + \sum_{j=1}^{m} |p^Z_{j,k} - p^X_{j,k}| \le |p^Z_{m+k,k}|$. So overall, this is less than $\sum_{k=1}^{p} |p^Z_{m+k,k}\, t_k|$. □

This $\vee$ operation may be sub-optimal, but the concretisations on each axis (i.e. the immediate concretisation of all program variables) are optimal. Also, while its computation cost is still $O((n+m)p)$, it may produce far fewer perturbation symbols, and may even eliminate some of the central symbols.

Example 3. Consider $X$ and $Y$ as defined in Example 2:
\[ Z' = X \vee Y = \begin{pmatrix} 1.5 + \varepsilon_1 + 1.5\eta_1 \\ \varepsilon_1 - \varepsilon_2 + 2\eta_2 \end{pmatrix} \]
Note that (see Figure 4) $Z'$ has the smallest possible concretisations on the $x$ and $y$ coordinates: respectively $[-1, 4]$ and $[-4, 4]$, which is strictly better than what we had with the mub $Z$ in Example 2 (respectively $[-1, 5]$ and $[-5, 5]$). But it does not share perturbation noise symbols, as $Z$ does, and along direction $t = {}^t(-1, 1)$, we find $Z't = y - x \in [-6, 3]$, which is not as good as what we had with $Z$: $Zt \in [-5, 1]$. In fact, $Z$ and $Z'$ are not comparable under $\le$. But $Z'$ is not a mub; just consider:
\[ Z'' = \begin{pmatrix} 1.5 + \varepsilon_1 + 0.5\eta_1 + \eta_2 \\ \varepsilon_1 - \varepsilon_2 + \eta_1 + \eta_3 \end{pmatrix} \]
We can prove that $Z'' \le Z'$, and in fact, $Z''$ is a mub. $Z''$ has the smallest possible concretisations on the $x$ and $y$ axes, as shown in Figure 4, but $Z''t \in [-5, 2]$, which is not as accurate as $Zt$: $Z$ and $Z''$ are also incomparable.
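The two joins above, the mub of Lemma 9 (in the case $\gamma_{lin}(P^X) = \gamma_{lin}(P^Y)$) and the $\vee$ operator of Lemma 10, as an added example that is not part of the paper: plain-Python matrices $(C, P)$, run on the constructed $X$ and $Y$ of Example 2 so that the results can be compared with $Z$ of Example 2 and $Z'$ of Example 3, including their concretisations along the axes and along $t = (-1, 1)$.

```python
# Joins of perturbed affine sets X = (C, P), Lemmas 9 and 10.  Added example,
# not the authors' code.  C is (n+1) x p (row 0 = center, rows 1..n = eps
# coefficients), P is m x p (eta coefficients); column k is variable x_k.

def concretisation(X, t):
    """Range of <t, x> over gamma(X): center +/- sum of |generator . t|."""
    dot = lambda row: sum(r * tk for r, tk in zip(row, t))
    mid, rad = dot(X[0][0]), sum(abs(dot(row)) for row in X[0][1:] + X[1])
    return (mid - rad, mid + rad)

def axis_interval(X, k):
    """gamma(pi_k(X)): concretisation along the k-th unit vector."""
    return concretisation(X, [1.0 if i == k else 0.0 for i in range(len(X[0][0]))])

def mub_join(X, Y):
    """Lemma 9 when gamma_lin(P^X) = gamma_lin(P^Y): C^Z = (C^X + C^Y)/2,
    P^Z = [(C^Y - C^X)/2 ; P^X] (n+1 fresh symbols on top of those of P^X)."""
    (CX, PX), (CY, _) = X, Y
    CZ = [[(a + b) / 2 for a, b in zip(rx, ry)] for rx, ry in zip(CX, CY)]
    PZ = [[(b - a) / 2 for a, b in zip(rx, ry)] for rx, ry in zip(CX, CY)]
    return CZ, PZ + [row[:] for row in PX]

def argmin_abs(a, b):
    """argmin_|.|(a, b): the element of [a ^ b, a v b] of least absolute value."""
    lo, hi = min(a, b), max(a, b)
    return 0.0 if lo <= 0.0 <= hi else (lo if lo > 0.0 else hi)

def vee_join(X, Y):
    """Lemma 10: Z = X v Y, one fresh symbol eta_{m+k} per variable x_k."""
    (CX, PX), (CY, PY) = X, Y
    n, m, p = len(CX) - 1, len(PX), len(CX[0])
    CZ = [[0.0] * p for _ in range(n + 1)]
    PZ = [[0.0] * p for _ in range(m + p)]
    for k in range(p):
        (xl, xh), (yl, yh) = axis_interval(X, k), axis_interval(Y, k)
        lo, hi = min(xl, yl), max(xh, yh)
        CZ[0][k] = (lo + hi) / 2                        # mid of the union
        for i in range(1, n + 1):
            CZ[i][k] = argmin_abs(CX[i][k], CY[i][k])
        for j in range(m):
            PZ[j][k] = argmin_abs(PX[j][k], PY[j][k])
        kept = CZ[0][k] + sum(abs(r[k]) for r in CZ[1:] + PZ[:m])
        PZ[m + k][k] = hi - kept                        # restores sup of the union
    return CZ, PZ

# Constructed inputs: X and Y of Example 2 (no eta symbols, so P is empty).
X = ([[1.0, -1.0], [2.0, 1.0], [0.0, -2.0]], [])   # (1+2e1, -1+e1-2e2)
Y = ([[3.0, 1.0], [1.0, 2.0], [0.0, -1.0]], [])    # (3+e1, 1+2e1-e2)
```

`mub_join(X, Y)` yields the three-symbol $Z$ of Example 2 and `vee_join(X, Y)` the $Z'$ of Example 3; `concretisation(Z, [-1.0, 1.0])` gives the range of $y - x$ quoted in the text.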

Fig. 4. Z and Z" are mubs for X and Y, while Z' is not 



4.6 Kleene-like iteration schemes

We first note that there are enough mubs to hope for a Kleene-like iteration:

Lemma 11. Let $S$ be a bounded and countable directed set of perturbed affine sets, all in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. Then there exists a minimal upper bound for $S$, given by the limit matrices $\lim_{u \to \infty} X_u = (\lim_{u \to \infty} C^u, \lim_{u \to \infty} P^u)$.

Proof. We thus have $X$ a perturbed affine set and $S = \{X_0, \ldots, X_u, \ldots\}$ with $X_i \le X_j \le X$ for all $i, j$ with $i < j$. Thus for all $t$,
\[ \|(C^j - C^i)t\|_1 \le \|P^j t\|_1 - \|P^i t\|_1 \]
This entails first that $(\|P^u t\|_1)_{u \in \mathbb{N}}$ is increasing. Also, as for all $u$, $X_u \le X$, this means that $0 \le \|(C^X - C^u)t\|_1 \le \|P^X t\|_1 - \|P^u t\|_1$, so the sequence $(\|P^u t\|_1)_{u \in \mathbb{N}}$ is also bounded by $\|P^X t\|_1$. Hence it converges for all $t$.

This means also that $\|(C^j - C^i)t\|_1$ can be made as small as wanted with $i$ and $j$ sufficiently big, for all $t$. Hence, as $(\mathbb{R}^p, \|\cdot\|_1)$ is a Banach space, this means that for all $t$, $C^u t$ converges when $u$ goes to infinity. This entails the convergence of the sequence of matrices $C^u$ in the fixed dimension space $\mathcal{M}(n+1,p)$, and similarly for $P^u$ in $\mathcal{M}(m,p)$.

Note that this finite dimension requirement is necessary. As for polyhedra, an infinite union of zonotopes might not be a zonotope: just think of a zonotope with a growing number of faces, approximating a circle.

The fact that the limit matrices define a minimal upper bound is an obvious consequence of the fact that the order $\le$ is closed in $(\mathcal{M}(n+1,p) \times \mathcal{M}(m,p))^2$, and of basic properties of limits. □



As we have only this form of bounded completeness, and not unconditional completeness, our iteration schemes will be parameterized by a large interval $I$: as soon as the current iterate leaves $I^p$, we end the iteration with $\top$.

The following formalizes the iteration scheme and stopping criterion used, parametrized by a join operator (for instance, the $\vee$ operator defined in Lemma 10):

Definition 9. Given an upper-bound operator $\sqcup$, the $\sqcup$-iteration scheme for a strict, continuous and increasing functional $F$ on perturbed affine sets (extended with a formal $\bot$ and $\top$), is as follows:

— Start with $X_0 = \bot$

— Then iterate: $X_{u+1} = X_u \sqcup F(X_u)$ starting with $u = 1$

• if $\gamma(X_{u+1}) \subseteq \gamma(X_u)$ then stop with $X_{u+1}$

• if $\gamma(X_{u+1}) \not\subseteq I^p$, then end with $\top$

Note that our semantic operators only produce continuous and increasing functionals $F$. Also, initial and cyclic unfoldings are generally applied on top of this iteration scheme, so as to improve the precision of the analysis, see [8,13], and we cut the iteration after a finite time. We prove below the correctness of this scheme and of its stopping criterion. We also indicate its worst-case complexity:






Lemma 12. Let $F$ be a strict, continuous and increasing functional on perturbed affine sets. Consider the $\sqcup$-iteration scheme of Definition 9. Then $\gamma(X_{u+1}) \subseteq \gamma(X_u)$ can be checked in $O(p(n+m)^2)$ time, and guarantees that $X_{u+1}$ is a post-fixed point of $F$.

Proof. We consider the countable and directed set $S = \{X_u \mid u \in \mathbb{N}\}$ where $X_u = \bigsqcup_{v=0}^{u} F^v(\bot)$. If it is unbounded, the $\sqcup$-iteration scheme will end up with $\top$ in a finite time. Otherwise, apply Lemma 11. Define $G = F \sqcup Id$; it is continuous and $G(\lim_{u \to \infty} X_u) = \lim_{u \to \infty} G(X_u) = \lim_{u \to \infty} X_u$, so the limit of the $\sqcup$-iteration scheme is a fixed point of $G$, i.e. a post-fixed point of $F$. The test $\gamma(X_{u+1}) \subseteq \gamma(X_u)$, given that $X_u \le X_{u+1}$ of course, is enough for checking whether we have reached the limit. We have already proven that if the stopping criterion is correct, then the $\sqcup$-iteration scheme converges towards $\top$ or towards a post-fixed point of $F$, in practice in finite time, since we always cut the iteration scheme after a fixed number of iterations.

Suppose we apply our stopping criterion, i.e. $\gamma(X_{u+1}) \subseteq \gamma(X_u)$. But we have also $X_u \le X_{u+1}$. Then for all $t \in \mathbb{R}^p$,
\[ \|C^{X_{u+1}} t\|_1 - \|C^{X_u} t\|_1 \le \|P^{X_u} t\|_1 - \|P^{X_{u+1}} t\|_1 \]
\[ \|(C^{X_{u+1}} - C^{X_u}) t\|_1 \le \|P^{X_{u+1}} t\|_1 - \|P^{X_u} t\|_1 \]
Adding these two inequalities together, we find:
\[ \|C^{X_{u+1}} t\|_1 + \|(C^{X_{u+1}} - C^{X_u}) t\|_1 \le \|C^{X_u} t\|_1 \]
But the triangle inequality also shows the inverse inequality, therefore:
\[ \|C^{X_{u+1}} t\|_1 + \|(C^{X_{u+1}} - C^{X_u}) t\|_1 = \|C^{X_u} t\|_1 \]
So we have also:
\[ \|(C^{X_{u+1}} - C^{X_u}) t\|_1 \ge \|P^{X_u} t\|_1 - \|P^{X_{u+1}} t\|_1 \]
This implies that for all $t \in \mathbb{R}^p$, $\|(C^{X_{u+1}} - C^{X_u}) t\|_1 = 0$ and $\|P^{X_u} t\|_1 = \|P^{X_{u+1}} t\|_1$, i.e. $X_{u+1} \sim X_u$. Hence, if we stop using this criterion, then we stop at a post-fixed point of $F$. □

In practice, we first use the simpler $O((n+m)p)$ time test: $\forall k = 1, \ldots, p$, $\|X_{u+1} t_k\|_1 \le \|X_u t_k\|_1$, where $t_k$ is the $k$-th unit vector (all entries 0, except at position $k$). It is only when this test is true that we compute the full test $\gamma(X_{u+1}) \subseteq \gamma(X_u)$.

Results on fixed-point computations, and comparisons with other abstract domains such as polyhedra, are described for preliminary versions of this domain in [8,13]. We plan to develop them for this domain in a longer version.
5 Conclusion and future work

We set up a formal framework for a fast and accurate abstract analysis based on zonotopes. There are several directions from there. First of all, we did not thoroughly detail the best way to compute (minimal) upper bounds; this will be done in the longer version.

Secondly, as can be noticed with the analysis of function f of Section 2, the perturbation symbol $\eta_1$ can be associated with the if statement, with discrete values $\{-1, 1\}$ expressing whether the control flow went through the true or the false branch. This can be generalized to encode some of the interesting (semantical) disjunctive information necessary for reaching precise invariants.

Third, a drawback of our domain is that tests are in general not interpreted. We are currently thinking of a simple and elegant extension that would allow computing accurate intersections.

Last but not least, we plan to carry on the study initiated in [13]. Given a program implementing a concrete numerical scheme, our abstraction gives us a perturbed numerical scheme, which can be studied for convergence similarly to the concrete scheme. We started with linear recursive filters, where we had very good results, but this is likely to extend to some non-linear iterative schemes of wide interest.